Advertising Bogons (Or Was I?)
Been a while since I did a “War Stories” post - here’s one about a routing policy I screwed up recently. Gave me a fright that I’d really messed something up, but in the end it was no big deal, and it taught me something about who uses route collector info.
Uh-oh…we’re announcing bogons?
While looking at bgp.he.net/AS32590 for something unrelated, I saw this:
Investigating more, it tells me this:
What the hell is going on? We should never be announcing bogon ranges to any peer. I rushed off to check some of our peering sessions, e.g
1
2
3
4
5
6
7
8
lindsayh@rtr> show route advertising-protocol bgp 86.104.125.69
inet.0: 1009955 destinations, 8974886 routes (1008431 active, 2 holddown, 2770 hidden)
Prefix Nexthop MED Lclpref AS path
* 155.133.226.0/24 Self I
* 155.133.229.0/24 Self I
* 155.133.250.0/24 Self I
* 162.254.197.0/24 Self I
We’re just advertising the normal set of prefixes I expect at that site. Defintely not advertising anything unusual to HE. So why do they think we’re advertising bogons?
Hmmm…Cloudflare Radar also says we’re announcing junk. Must be a clue there.
A NOC that responds
I reached out to HE, and their NOC is terrific - they responded very quickly on a Friday evening, even though we’re not a paying customer. Kudos to them.
They pointed out that their Super Looking Glass gives you an indication of where they’re learning those prefixes from. For example, if you look at 155.133.226.0/24, you’ll see “Learned from: route-views.sg”
This was the bit I’d missed - bgp.he.net is not just using information from what they see advertised to them. They are also looking at data received by route collector services, such as RouteViews. I had recently added sessions with RouteViews. They wanted to see our full tables, to get another view of what a well-peered edge network sees. I had somewhat carelessly advertised them our full tables…which includes some prefixes that we use internally. We of course strip those out for advertisements to regular peers, but I had reused a policy that should only be used for our internal sessions.
No Real Harm
No real harm done, since we didn’t advertise those prefixes to any “real” peers. Plus of course everyone else is stripping bogons on received prefixes, right? Right?
But it was interesting for me to learn more about how sites like bgp.he.net and radar.cloudflare.com get their data.
This article is Part 13 in a 13-Part Series.
- Part 1 - War Stories: Loops that Permanently Broke the Network
- Part 2 - War Stories: Switches Lying about Duplex Mismatches
- Part 3 - War Stories: Check Point Meltdown
- Part 4 - War Stories: Dual-Vendor Firewall Strategy
- Part 5 - War Stories: Proxy ARP Auto-Configuration
- Part 6 - War Stories: Gratuitous ARP and VRRP
- Part 7 - War Stories: Cursed VLANs
- Part 8 - War Stories: Unix Security
- Part 9 - War Stories: ITIL Process vs Practice
- Part 10 - War Stories: Closing out Projects
- Part 11 - War Stories: Backup NICs, DNS and AD
- Part 12 - War Stories: Always Check Your Inputs
- Part 13 - This Article